Hey, how did you get in here? Broken access control is the biggest application security weakness of 2021, according to OWASP • The Register
The Open Web Application Security Project (OWASP) has published its list of the top ten vulnerabilities in web software, part of a broader push to make software safer at the design stage.
New entries in the project's top ten include "Insecure Design", which covers specific design-level flaws, and "Software and Data Integrity Failures". The latter refers to "making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity."
The release is a draft for public comment and peer review, with a final version to be released later this year.
The number one web application security vulnerability this year is Broken Access Control, with OWASP noting: "The 34 CWEs* mapped to Broken Access Control had more occurrences in applications than any other category."
Specific examples cited by OWASP include failing to validate user credentials for browser access to admin pages.
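The admin-page case above, as an added example that is not code from the article or from OWASP: a minimal request router in which the only "protection" for the admin console is that the link is hidden from ordinary users, beside a deny-by-default version that checks identity and then authorisation on the server for every request. The example goes one step beyond the article's case and also covers an account page that trusts the record id in the URL (an insecure direct object reference). The `User` and `Request` types, the `ADMIN_PAGES` set and the `ACCOUNTS` table are constructed for this illustration.

```python
# Added example, not code from The Register article or from OWASP.
# Two forms of broken access control (forced browsing to admin pages, and an
# account page with no ownership check) beside a deny-by-default handler.
# User, Request, ADMIN_PAGES and ACCOUNTS are constructed for illustration.
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class User:
    username: str
    role: str  # "user" or "admin" (assumed role model)


@dataclass(frozen=True)
class Request:
    path: str
    user: Optional[User]  # None: no valid session


ADMIN_PAGES = {"/admin", "/admin/users"}       # constructed
ACCOUNTS = {1: "alice", 2: "bob"}              # constructed: account id -> owner
ACCOUNT_RE = re.compile(r"^/account/(\d+)$")


def serve_vulnerable(req: Request) -> Tuple[int, str]:
    """Before. Ordinary users merely do not see the admin link in the menu,
    so anyone who types the URL reaches the console, and /account/<id>
    serves whichever record the caller names once they are logged in."""
    if req.path in ADMIN_PAGES:
        return 200, "admin console"            # no authentication, no role check
    m = ACCOUNT_RE.match(req.path)
    if m:
        if req.user is None:
            return 401, "authentication required"
        return 200, f"account {m.group(1)}"    # logged in, but is it theirs?
    return 200, "public page"


def serve_hardened(req: Request) -> Tuple[int, str]:
    """After. Every request is checked on the server: who is calling, and
    whether that caller may touch this page or this record."""
    if req.path in ADMIN_PAGES:
        if req.user is None:
            return 401, "authentication required"
        if req.user.role != "admin":
            return 403, "forbidden"
        return 200, "admin console"
    m = ACCOUNT_RE.match(req.path)
    if m:
        if req.user is None:
            return 401, "authentication required"
        owner = ACCOUNTS.get(int(m.group(1)))
        if owner is None:
            return 404, "not found"
        # Object-level check: the record must belong to the caller, or the
        # caller must be an admin. Being logged in is not enough.
        if owner != req.user.username and req.user.role != "admin":
            return 403, "forbidden"
        return 200, f"account {m.group(1)}"
    return 200, "public page"


if __name__ == "__main__":
    bob = User("bob", "user")
    for handler in (serve_vulnerable, serve_hardened):
        print(handler.__name__)
        print("  anonymous /admin ->", handler(Request("/admin", None)))
        print("  bob /admin       ->", handler(Request("/admin", bob)))
        print("  bob /account/1   ->", handler(Request("/account/1", bob)))
        print("  bob /account/2   ->", handler(Request("/account/2", bob)))
```

The hardened handler returns 401 for a missing session and 403 for a valid session that lacks the right, and it answers 404 for an unknown record only after authentication, so the existence of records is not revealed to anonymous callers.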
Cryptographic Failures is also singled out by OWASP, landing at number two on this year's list. This category was previously known as "Sensitive Data Exposure", which the organisation now describes as "a broad symptom rather than a root cause."
While the category's new name conjures up images of script kiddies breaking RSA-4096 with a single click, the mundane truth is that it covers everything from hard-coded passwords and insufficient entropy to "broken or risky crypto algorithms". Specific examples of bad practice under "Cryptographic Failures" include storing passwords with unsalted or simple hashes, and not using or enforcing TLS on all pages.
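Two of the failures listed above, as an added example that is not code from the article or from OWASP: a password table built with unsalted fast hashes, and a reset token drawn from a non-cryptographic generator (the insufficient-entropy case), each beside a fixed version using only the Python standard library. The storage format string, the iteration count and the sample passwords are constructed choices for this illustration, not a format from any library the article mentions.

```python
# Added example, not code from The Register article or from OWASP.
# Unsalted fast hashing and weak randomness, beside fixed versions.
# The record format, PBKDF2_ITERATIONS and the sample inputs are constructed.
import hashlib
import hmac
import random
import secrets
from typing import Optional


# --- Before: one fast, unsalted digest per password -------------------------
def store_unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def verify_unsalted_md5(password: str, stored: str) -> bool:
    return store_unsalted_md5(password) == stored   # also not constant-time


def same_digest(pw_a: str, pw_b: str) -> bool:
    """Two users with the same password get the same digest, so one
    precomputed table (or one cracked row) covers every matching row."""
    return store_unsalted_md5(pw_a) == store_unsalted_md5(pw_b)


# --- After: per-user random salt, slow KDF, constant-time compare -----------
PBKDF2_ITERATIONS = 200_000   # constructed value; tune upward for production


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'. The salt comes
    from the OS CSPRNG unless the caller supplies one (for tests only)."""
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False                   # unknown or legacy format: reject
    _, iters, salt_hex, dk_hex = parts
    try:
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except ValueError:
        return False                   # malformed record
    return hmac.compare_digest(dk, expected)   # no timing leak on mismatch


# --- Insufficient entropy: password-reset tokens ----------------------------
def weak_reset_token(seed: int) -> str:
    """Before: Mersenne Twister seeded from something an attacker can guess
    (the caller passes the seed, standing in for e.g. a timestamp). The
    same seed reproduces the same token, so the token is predictable."""
    rng = random.Random(seed)
    return "%032x" % rng.getrandbits(128)


def strong_reset_token() -> str:
    """After: 256 bits from the OS CSPRNG via the secrets module."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    rec = store_pbkdf2("correct horse battery staple")
    print(rec)
    print(verify_pbkdf2("correct horse battery staple", rec),
          verify_pbkdf2("wrong", rec))
    print(weak_reset_token(1_600_000_000) == weak_reset_token(1_600_000_000))
    print(strong_reset_token() != strong_reset_token())
```

Two calls to `store_pbkdf2` for the same password produce different records because each draws a fresh salt; verification still succeeds because the salt and iteration count travel with the digest. The `verify_pbkdf2` function rejects a legacy MD5 record outright rather than silently accepting it, which is the behaviour you want when migrating a table.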
Injection, which now includes cross-site scripting, comes third, with other common weaknesses including security misconfiguration, vulnerable and outdated components, and failures in security logging and monitoring.
OWASP compiles its top ten by reviewing industry data on vulnerabilities found in web software, combining this with a survey asking frontline practitioners which flaws they have seen in the wild over the past year and which deserve wider attention.
The organization explained:
In 2018, Martin Knobloch, then president of OWASP, told El Reg that the top ten list had been both a blessing and a curse, saying: "A guide on how to validate is not a guide on how to build security." ®
* CWE: Common Weakness Enumeration. See also CVE, Common Vulnerabilities and Exposures, a vendor-independent means of tracking flaws using a unique reference number.